On October 24, the United States Attorney’s Office for the Southern District of New York (SDNY) filed a $1 billion civil mortgage fraud lawsuit against a mortgage lender and a major financial institution in connection with loans sold to the government-sponsored enterprises (GSEs), the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac). Filed as a complaint-in-intervention in a pending qui tam, or whistleblower, lawsuit, the complaint alleges that the mortgage lender engaged in a scheme to defraud the GSEs in connection with the mortgage loans it sold to them, and that the financial institution that later acquired the lender was aware of and continued the misconduct. The suit seeks damages and penalties under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA). This is the first civil suit brought by the Department of Justice concerning mortgages sold to the GSEs, and indicates that the government might commence other suits based on the sale of conventional mortgages to those entities.

The government’s allegations focus on a loan origination system initiated by the lender in 2006 that allegedly eliminated checkpoints on loan quality and led to fraud and other defects in the loans. The complaint alleges that the lender and the financial institution sold these loans to the GSEs but misrepresented that the loans complied with GSE requirements. The GSEs pooled the loans into mortgage backed securities and sold them to investors, subject to guarantees on principal and interest payments. As the allegedly defective loans defaulted, the GSEs suffered over $1 billion in losses through the payment of guarantees to investors. Read more…

On October 24, the CFPB issued a final rule that will allow the Bureau to supervise certain debt collectors. Under this rule, debt collectors will be required to provide certain disclosures, provide accurate information, maintain a consumer complaint and dispute-resolution process, and communicate civilly and honestly with consumers. Beginning January 2, 2013, the CFPB will be able to examine and take enforcement actions against any entity that has more than $10 million in annual receipts from consumer debt collection activities. The CFPB anticipates that the rule will cover approximately 175 third-party debt collectors, debt buyers, and collection attorneys. The final rule retains the proposed annual receipts threshold used to identify “larger participants” but excludes from the definition of annual receipts those receipts that result from collecting debts originally owed to a medical provider. The final rule also limits covered consumer debt collection activities to those conducted by “debt collectors,” which are defined as persons whose principal business activity is debt collection or that “regularly” engage in debt collection. The CFPB declined to provide a blanket exemption to attorneys, as some commenters argued was required by the Dodd-Frank Act. Concurrent with the release of the final rule, the CFPB published procedures for use in examining covered debt collectors. This rule is the second “larger participant” rule, and it follows the July 2012 consumer reporting rule. The Dodd-Frank Act requires the CFPB to promulgate a rule to define “larger participant” nonbanks in certain consumer financial services markets.

On October 24, Nevada Attorney General (AG) Catherine Cortez Masto announced the resolution of an investigation into a financial institution’s purchasing and securitization of subprime and payment option adjustable rate mortgages. The Nevada AG’s investigation concerned potential misrepresentations by lenders with regard to loans with such terms as adjustable rates, stated income, 100 percent financed, extended amortization periods, prepayment penalties, and/or initial teaser rate. The Nevada AG was examining whether the securitizer knowingly purchased such loans and substantially assisted the lenders by financing and purchasing their potentially deceptive loans. To resolve the investigation, the securitizer agreed to pay $42 million and to abstain from financing, purchasing, or securitizing Nevada subprime mortgage loans in the future unless it has engaged in a “reasonable review” of such loans and determined that the loans comply with the Nevada Deceptive Trade Practices Act.

On October 22, FinCEN issued advisory guidance to financial institutions for filing Suspicious Activity Reports (SARs) on conduct related to third-party payment processors. The FinCEN guidance lists several potential red flags with regard to these payment processors, including (i) fraud, (ii) accounts at multiple financial institutions, (iii) money laundering, (iv) enhanced risk, (v) solicitation for business, and (vi) elevated rate of return of unauthorized debit transactions. To identify suspicious activity involving payment processors, FinCEN suggests that financial institutions review and update their anti-money laundering programs, monitor whether legal actions are pending against payment processors, and verify that payment processors have all required state licenses and registrations. In addition, financial institutions may be required to file SARs if they know or suspect that a payment processor has conducted a transaction involving funds derived from illegal activity, or where a payment processor has attempted to disguise funds derived from illegal activity. When completing SARs related to payment processors, FinCEN requests that financial institutions (i) check the appropriate box on the SAR form indicating the type of suspicious activity, and (ii) include the term “Payment Processor” in the narrative and the subject occupation portions of the SAR.

On October 23, the U.S. District Court for the District of Puerto Rico denied motions to dismiss gross negligence claims against former directors and officers brought by the FDIC as receiver for a failed bank. The court further held that the FDIC as receiver is not precluded from recovering under the directors and officers’ insurance policies. W Holding Co. v. Chartis Ins. Co.-Puerto Rico, No. 11-2271, slip op. (D. Puerto Rico Oct. 23, 2012). The FDIC sued former officers and directors of the bank, alleging that they were grossly negligent in approving and administering commercial real estate, construction, and asset-based loans and transactions and seeking over $176 million in damages. The court concluded that the FDIC could not maintain claims for ordinary negligence against the former officers and directors because of the business judgment rule, but that the FDIC had stated sufficient facts to allege a plausible claim for gross negligence. The court held that (i) the FDIC’s complaint adequately specified which alleged misconduct was attributable to each director or officer, (ii) the claims should not be dismissed on statute of limitations grounds, and (iii) separate claims against certain former officers and directors concerning fraudulent conveyances should not be dismissed. In addition, the court denied the insurers’ motions to dismiss the FDIC’s claims for coverage under the directors and officers’ liability policies. The court held that the policies’ “insured versus insured” exclusion did not apply to an action by the FDIC as receiver because the FDIC was suing on behalf of depositors, account holders, and a depleted insurance fund.

On October 22, the CFPB announced that it has begun accepting consumer complaints regarding the activities of consumer reporting agencies (CRAs). In July 2012, the CFPB issued a rule that granted the Bureau authority, effective September 30, 2012, to supervise firms with more than $7 million in annual receipts from consumer reporting activities. As part of its new supervision activities, the CFPB is seeking consumer complaints with regard to (i) incorrect information on a credit report, (ii) a consumer reporting agency’s investigation, (iii) the improper use of a credit report, (iv) being unable to get a copy of a credit score or file, and (v) credit-monitoring or identity-protection services. The CFPB encourages consumers to attempt to resolve any problems directly with the CRA before submitting a complaint to the CFPB in order to take full advantage of certain rights afforded by federal consumer financial laws.

On October 22, the FTC announced a proposed consent order with an Internet tracking and analytics company that allegedly gathered personal data without consumer consent and failed to honor its promises to protect personal data. According to the FTC, Compete Inc. encouraged consumers to download its tracking software by promising rewards and information about the websites that customers visited. After installation, Compete’s software automatically collected information that consumers entered into websites, including usernames, passwords, search terms, and credit card and Social Security numbers. The FTC stated that Compete violated promises to consumers to collect only the names of websites that consumers visited, to remove personally identifiable information, and to protect consumer information. The proposed consent order requires Compete to (i) fully disclose what information it collects, (ii) obtain consumers’ express consent prior to collecting data, (iii) delete or anonymize previously collected information, and (iv) implement an information security program with regular third-party audits for the next twenty years.

On October 17, the U.S. District Court for the Northern District of Ohio held that the post-repossession notice requirements in the Ohio Retail Installment Sales Act (RISA) and the Ohio Uniform Commercial Code (OUCC) were not preempted by the National Banking Act (NBA) and OCC regulations. White v. Wells Fargo Bank, N.A., Case No. 1:12 CV 943, 2012 WL 4958516 (N.D. Ohio Oct. 17, 2012). A group of borrowers allege on behalf of a putative class that the lender violated provisions of RISA and the OUCC when it repossessed and sold borrowers’ cars after the borrowers defaulted on their auto loans. The lender filed a motion to dismiss the action, claiming that, because it is a national bank, the NBA and applicable OCC regulations preempt borrowers’ RISA and OUCC claims. Following precedent from the Ninth and Fourth Circuits, the Ohio court held that the state laws regarding repossession notice requirements fell within the savings provision of the NBA and thus were not expressly preempted. The court also held that the federal government had not occupied the field of debt collection, and that the Ohio laws at issue do not relate to the bank’s lending operations and therefore do not significantly interfere with its ability to operate as a bank. Accordingly, the court denied the lender’s motion to dismiss on preemption grounds.

On October 23, the North American Securities Administrators Association (NASAA), a voluntary association whose membership consists of sixty-seven state, provincial, and territorial securities administrators in North America, published a report that indicates enforcement of state securities laws by U.S. state securities regulators is on the rise. The report reflects the results of a survey in which forty-eight U.S. NASAA members participated. According to the report, more than 2,600 administrative, civil and criminal enforcement actions involving nearly 3,700 respondents and defendants were reported by the states in 2011, including a near doubling of enforcement actions against investment adviser firms from the previous year. The report presents other summary findings and enforcement trends, including new risks related to crowdfunding and Internet offers.

On October 18, the OCC issued Bulletin OCC 2012-33, which provides guidance to community banks with assets of $10 billion or less on how to implement stress testing to assess risk in their loan portfolios. Stress tests are exercises designed to gauge the potentially adverse impact that a hypothetical scenario might have on earnings, loan loss reserves, and capital levels. The OCC reiterated that stress testing procedures for smaller community banks do not need to be as sophisticated as those used by larger national banks, but noted that all banks are expected to assess their capital adequacy in relation to overall risks and to have a plan for maintaining appropriate capital levels. The bulletin also included explanations of specific types of stress testing, a sample method for performing stress tests on a basic portfolio, and a table of common real estate characteristics that should be considered when evaluating the impact of a stress event on specific property types. Additionally, the OCC announced the availability of a new tool for performing stress tests on income-producing commercial real estate loan portfolios. The OCC plans to host a teleconference for bankers on December 3, 2012 to discuss this new guidance.

On October 19, Fannie Mae and Freddie Mac (the GSEs) issued supplemental guidance regarding the new representation and warranty framework for mortgages sold or delivered to the GSEs on or after January 1, 2013. The GSEs originally announced the new framework on September 11, 2012.  Fannie Mae Selling Guide Lender Letter LL-2012-07, Freddie Mac Bulletin 2012-22, and a related Freddie Mac Industry Letter identify new elements of and effective dates for:  (i) quality control principles; (ii) quality control sample process; (iii) quality control review process; (iv) enforcement practices; and (v) ongoing communications with sellers and servicers. Additionally, the GSEs provided clarification regarding life of loan representations and warranties related to misstatements, misrepresentations, omissions, and data inaccuracies. Finally, Freddie Mac also revoked the automatic repurchase trigger it initially announced under the new framework.

On October 12, the U.S. Court of Appeals for the Ninth Circuit upheld provisional class certification for a plaintiff debtor, who claimed that a debt collector had violated  the Telephone Consumer Protection Act (TCPA)  by using an automatic dialer to place calls to plaintiff and other debtors’ cellular telephone numbers obtained via skip-tracing, and where the debtors also had not expressly consented to be called. Meyer v. Portfolio Recovery Assocs. LLC, No. 11-56600, 2012 WL 4840814 (9th Cir. Oct. 12, 2012). The debt collector argued, in part, that typicality or commonality issues should preclude class certification because some debtors might have agreed to be contacted at their telephone numbers, which were obtained after the debtors incurred the debt at issue. Citing a recent FCC declaratory ruling, the court noted that prior express consent is deemed granted only if the debtor provides a cellular telephone number at the time of the transaction that resulted in the debt at issue. The court thus rejected the debt collector’s argument, and held that debtors who provide their cellular telephone numbers after the time of the original transaction are not deemed to have consented to be contacted under the TCPA. In addition, the court upheld the district court’s grant of a preliminary injunction to the plaintiff, finding that he had established a likelihood of success on his TCPA claim and had demonstrated irreparable harm based on the debt collector’s continuing violations of that statute.

On October 19, the UK FSA announced that it fined a bank £4.2 million ($6.7 million) for failing to keep accurate records regarding 250,000 mortgages it was servicing. In monitoring a consumer forum website, the FSA found that certain of the bank’s borrowers had complained of being excluded from a bank program meant to remedy a separate problem. Upon investigation, the FSA determined that the bank held its mortgage information on two separate unaligned systems. The FSA also identified problems with two other processes where manual updates were not always carried out. The FSA claimed that, as a result of its recordkeeping practices, the bank relied on incorrect records for certain of its mortgages over a seven-year period. Because the bulk of the alleged misconduct occurred before the FSA’s new penalty framework came into force in March 2010, the penalty was assessed under the prior regime. Further, since the bank agreed to settle at an early stage of the investigation, it qualified for a 30% discount pursuant to the FSA’s executive settlement procedures.

On October 10, the South Carolina Supreme Court held that emails opened and retained by the recipient in a web-based email system are not protected under the Stored Communications Act (SCA), because they are not stored for the purposes of backup protection. Jennings v. Jennings, No. 27177, 2012 WL 4808545 (S.C. Oct. 10, 2012). The plaintiff sued an individual that gained unauthorized access to the plaintiff’s web-based email system, alleging, among other things, that the hacker violated the SCA. The SCA proscribes the unauthorized accessing of an electronic communication while it is in “electronic storage,” which in relevant part means that it is stored by an electronic communication service for the purpose of backup protection. The state supreme court noted that the plaintiff had opened the emails and retained them, but had not made any other copy of them. The court held that such emails, therefore, were not in “electronic storage” for the purposes of “backup” protection, reasoning that the plain meaning of “backup” does not apply to a single copy of a communication, i.e. web-based emails that are not downloaded to a computer or stored elsewhere.